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Abstract 

Given a function / as an oracle, the collision problem is to find two distinct inputs i and 
j such that f(i) = f(j), under the promise that such inputs exist. Since the security of 
many fundamental cryptographic primitives depends on the hardness of finding col·lisions, 
quantum lower bounds for the collision problem would provide evidence for the existence 
of cryptographic primitives that are immune to quantum cryptanalysis. 

In this paper, we prové that any quantum algorithm for finding a collision in an r-to-one 
function must evaluate the function Í2 ((n/r) 1 / 3 ) times, where n is the size of the domain 
and r|n. This improves the previous best lower bound of ((n/r) 1 / 5 ) evaluations due to 



Aaronson [ quant-ph/0111102 | , and is tight up to a constant factor. 

Our result also implies a quantum lower bound of íí (n 2 / 3 ) queries to the inputs for 
the element distinctness problem, which is to determine whether or not the given n real 
numbers are distinct. The previous best lower bound is £1 (y/n) queries in the black-box 
model; and O (y/n\og n) comparisons in the comparisons-only model, due to H0yer, Neerbek, 



and Shi [ICALP'01, |quant-ph/0102078|1 . 
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1 Introduction and summary of results 



The exponential speed-up of Shor's quantum algorithm for integer factorization [^ÏJ over the 
best known classical algorithm has inspired scientists of many fields to explore the power 
of quantum computing. On the other hand, understanding the limitations of quantum 
computing is also of great importance. Identifying problems that are hard for quantum 
computers can not only deepen our knowledge on the power of quantum computing, but is 
also necessary for developing a new cryptography immune to quantum cryptanalysis. 

Given a function / as an oracle, the collision problem is to find two distinct inputs 
i and j such that f(i) = f(j), under the promise that such inputs exist. This paper 
concerns the r-to-one collision problem, in which the oracle is promised to be r-to-one, 
for some integer r fixed in advance. The case r = 2 is important because random two- 
to-one functions are considered good models of collision intractable functions, which is 
a fundamental cryptographic primitive. An exponential (in logn) quantum lower bound 
would be evidence for the existence of collision intractable functions for quantum computers. 

Other motivations of our study arise from the close connection of our problem to other 
widely-studied problems. An example is the hidden subgroup problem, in which the input is 
some r-to-one function with additional promises. The Abelian case of the hidden subgroup 
problem can be solved emciently by a natural generalization of the well-known quantum 



algorithms of Simón |2^] and Shor 22], while the non- Abelian case is one of the major 
challenges in the design of fast quantum algorithms (refer to Grigni, Schulman, Vazirani, 
and Vazirani (ï*|] for a rencent development). A quantum lower bound for Collision would 
illuminate our understanding of the problem structures that allow or disallow a quantum 
speed-up. 

It is not hard to see that Q(y/n/r) evaluations are sufficient and necessary for classical 
algorithms to solve the r-to-one Collision. Interestingly, quantum computers can do much 
better: using Grover's quantum search algorithm in a novel way, the quantum algorithm 
found by Brassard, H0yer, and Tapp |J makes only O ((n/r) 1 / 3 ) evaluations. Despite much 
research effort, no lower bound better than constant had been found until very recently, 
when Aaronson proved the ground-breaking Q, ((n/r) 1 / 5 ) lower bound [|]]. In this paper, 
we improve the lower bound to the tight bound. 

Theorem 1.1 (Lower bound for Collision). Let n > and r > 2 be integers with r\n, 
and let a function of domain size n be given as an oracle with the promise that it is eíther 
one-to-one or r-to-one. Then any error-bounded quantum algorithm for distinguishing these 
two cases must evaluate the function Cl ((n/r) 1 / 3 ) times. Thus, finding a collision in an 
r-to-one function of domain size n requires £1 ((n/r) 1 / 3 ) evaluations. 

Denote the set {1, 2, • • • , n} by [n]. It remains an open problem whether or not our lower 
bound still holds if the range of oracle is restricted to [n]. This is because Theorem 1.1 is 
proved by considering oracles with range [3n/2]. Nevertheless, for the small range case, we 
are able to improve Aaronson's ((n/r) 1 / 5 ) lower bound [Q] to ((n/r) 1 / 4 ). 

Theorem 1.2 (Lower bound for Collision with small range). Let n > and r > 2 

be integers with r\n, and a function from [n] to [n] is given as an oracle with the promise 
that it is either one-to-one or r-to-one. Then any quantum algorithm for distinguishing 
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these two cases must evaluate the function íí ((n/r) 1 / 4 ) Urnes. Thus, finding a collision in 
an r-to-one function from [n] to [n] must evaluate the function íl ((n/r) 1 / 4 ) times. 

Given n real numbers, are they all distinct? This is the classical problem of Element 
Distinctness, studied by many authors in the classical setting. A simple algorithm would be 
to sort the numbers using O(nlogn) comparisons, and then check the equality of neighbor- 
ing numbers. This is essentially optimal classically, as suggested by the many Í2 (n log n) 
lower bounds in various classical models. In contrast, with another creative use of Grover's 



algorithm [15], the quantum algorithm found by Buhrman, Dürr, Heiligman, H0yer, Mag- 
niez, Santha, and de Wolf [Ï0|lmakes only 0(n 3 / 4 logn) comparisons. Collision and Element 
Distinctness are closely related, as we can see from the following well-known reduction: 

Reduction 1.3 (From Two-to-one Collision to Element Distinctness). Run the algorithm 
for Element Distinctness on the restriction of the oracle function on a random set of Q(y/n) 
inputs. If the oracle is two-to-one, a collision will be found with high probability, by the 
Birthday Paradox. 

Therefore, Theorem |LÏ| implies, 

Corollary 1.4 (Lower bound for Element Distinctness). Any quantum algorithm 
that accesses the inputs through an oracle and solves the element distinctness problem of n 
real numbers must make Q (n 2 / 3 ) oracle queries. If only comparisons are allowed, the same 
number of comparisons are requíred. 

The previous best known quantum lower bound is (y/n) queries to the inputs, which 
can be obtained by a simple reduction from the search problem; and Q ( -y/n logn) compar- 



isons in the comparisons-only model, due to Hoyer, Neerbek, and Shi [16]. The gap between 
our lower bound and the O (n 3 / 4 log n) upper bound of Buhrman et al. [[ÜJ remains to be 
closed. The strongest classical lower bound is the fi (n log n) lower bound on the depth 
of randomized algebraic decision trees, due to Grigoriev, Karpinski, Meyer auf der Heide, 
and Smolensky [14]. For classical lower bounds in weaker models refer to the papers by 



Ben-Or M, Steele and Yao 24], and, Dobkin and Lipton [12]. 

Remark 1.5. The worse-case and average-case complexities of the collision problems con- 
sidered here are the same because of their symmetry. The reader may find it helpful to 
regard the problems as bipartite graph properties, and the inputs as bipartite graphs. 



2 Proof outline and previous works 
2.1 Proof outline 

From now on, we shall refer to distinguishing an r-to-one function from a one-to-one function 
as the r-to-one problem, and denote it by D r -+i, or D r ^i(n, N) when the domain and range 
sizes are n and N, respectively. For simplicity, we shall deal with r = 2 in this section. 

Our proof for Theorem |1.1| takes two steps: first we reduce to -D2— >i a new problem 
Half -two-to-one, which is then shown to have an f2 (n 1 / 3 ) lower bound. Denote the set 
{§ + l,f + 2,··· ,n} by [§+] (niseven). 
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Definition 2.1. Let n > be an integer and 4|n. In the half-two-to-one problem, or 

1/2 

D 2 _^i(n,n) for short, a function from [n] to [n] is given as an oracle with the promise that 
half of the inputs are two-to-one mapped to [f +], and the other half are mapped to 
either one-to-one or two-to-one. The problem is to distinguish these two cases. 

1/2 

Lemma 2.2. D 2 _^ 1 (n,n) can be reduced to Z?2-»i(w, 3n/2) with a constant factor slow- 
down. 

Theorem 2.3. Any quantum algorithm for D 2 ^-,(n,n) requires ^(n 1 / 3 ) evaluations. 

The reduction is done by exploring the symmetry of the problems, and by using the 
following important fact: on the n/2 inputs mapped to [§+], / can be modified to be 
one-to-one mapped to [3n/2]\[n/2], without much slow-down. 

We prové Theorem |2.3| by using the polynomial method of Beals, Buhrman, Cleve, 
Mosca, and de Wolf ||, and Aaronson [|J with new ideas. More specifically, let us fix a 

1/2 — 

T-queries algorithm A for D 2 _^ 1 (n,n). First we symmetrize A to obtain A so that running 
A on any input / is equivalent to running A on a random input / "isomorphic" to /. Then 
we run A on the oracle f m ,g, the function g-to-one mapped to [n/2] on the first m inputs 
and two-to-one mapped to [§+] on the remaining. 

Following an important observation of Beals et al. || that relates the number of quantum 
queries to polynomial degrees, and from the nice symmetry of A, the acceptance probability 
P(f m g) turns out to be a polynomial in m and g with degree < 2T. In addition, for all m 
and g such that f m ^ g is well-defined, P(f m ,g) £ [0, 1]; and, there is a gap between P(fn 1 ) 
and P(fí t 2)· These two nice properties enable one to apply a theorem by Paturi |Ï9| to 
prové the desired lower bound for deg(P(/ m>fl )). We point out that essentially Paturi's 
theorem follows from both Markov Inequality and Bernstein Inequality, two fundamental 
theorems in approximation theory that give good lower bounds for polynomial degrees. 



For proving Theorem 1.2, we need the following additional idea. Given an algorithm for 
Z?2— i-i(n, n), we modify the algorithm so that it can be run on inputs that are only partially 
defined: Whenever the algorithm queries an undefined input, we force the algorithm to abort 



on the corresponding base vector. The rest of the proof is similar to that for Theorem 1.1 

Remark 2.4- Running the symmetrized algorithm on a fixed input is equivalent to running 
the algorithm on some random input, as treated by Aaronson Q. However, we feel that 
our treatment explores the symmetry of the problem more explicitly and thus makes it less 
mysterious that the acceptance probability turns out to be a polynomial. 

2.2 Relation with previous works 

Aaronson introduces the following original lower bound idea, which we shall refer to 
as the derived polynomial method: run the given T-queries algorithm on f y , a probability 
distribution determined by a parameter y. A new polynomial on y of 0(T) degree is 
derived from the average acceptance probability, and is then shown to have high degree 
by other methods. He is also the first to consider running the given algorithm on almost 



g-to-one functions for arbitrary g. We follow this approach in proving Theorem 2.3 and 
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improve his proof in the following ways: (1) The derived polynomial method seems to be 
more effective on Half-two-to-one than on Two-to-one itself. This is because the structure of 
Half-two-to-one yields a polynomial that has a gap around m = n/2, while the range of m is 
[0, n\. This feature, lacking in ||], is very important because it allows one to apply Bernstein 
Inequality, which in general gives a better degree lower bound than Markov Inequality if the 
function value has a sudden change close to the center of the domain. (2) The corresponding 
input distributions in our proofs are more natural and effective. As consequences, not only 
the ranges of the parameters are larger, but also the acceptance probabilities are exactly 
polynomials, instead of being close to a polynomial as in Mi. Thus better lower bounds can 
be obtained with simpler àlgebra. 

It seems to us that our partial input idea was not used before. Another novel way of 
manipulating inputs for proving quantum lower bounds is used by Ambainis 0, where an 
adaptive adversary changes the input according to the performance of the algorithm. 

Our problem can be formulated in the black-box computatíon model, a model widely 
studied in recent years due to both its simplicity and its power in modeling many natural 
problems. For other techniques for proving quantum lower bounds in this model, and 
quantum black-box computation in general, refer to the excellent survey of Ambainis 

We remark that previous approaches for proving degree lower bounds for (partial) 
Boolean functions can be interpreted in the light of the derived polynomial method. For 
example, the symmetrízation method, introduced by Minsky and Papert [17] and used by 
Paturi [19| and Nisan and Szegedy |Ï8|] , symmetrizes a Boolean function uniformly over all 
permutations of the Boolean variables. Another example, the linear approxímatíon tech- 
nique used by Shi |PQ| , averages a Boolean function by tossing independent coins for each 
Boolean variable, and the mean value of each coin is a linear function of a single parameter. 

The rest of this paper is organized as follows. In Section |||, we define the black-box 
model, introduce some notations, and state theorems from approximation theory which our 
proofs final·ly rely on the theorem of Paturi [19|. We then prové our lower bound for the 
general case of Collision in Section |4], which is followed by the proof for the special case of 
small range. Finally, we discuss some open problems. 



3 Preparat ions for the proofs 

Let n > and N > be integers and T '■= J-{n,N) be the set of all functions from [n] 
to [N]. Let / £ J- be given as an oracle. Following Beals et al. ||, we give the following 
definition of the black-box model, customized to our setting. 

A quantum black-box algorithm works in a Hilbert space of dimension n 2 L, for some 
L := L(n) < +oo. An orthonormal basis is chosen and denoted by 

{\m\i)-hj^nie[L}}. 

For j £ [N] and f £ [N], define j + f mod N := i + j - [(i + j + 1)/JVJ • N. An oracle 
gate is the following unitary operator determined by /: 

O f \i,j,l) := |t, f(Í)+j mod N, l), \/i £ [n],j £ [N],l £ [L]. 

A quantum black-box algorithm that makes T queries consists of T + 1 unitary operators, 
Uq, Ui, • • • , Ut, and a projection operator P, on the Hilbert space. It starts with a constant 
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vector denoted by |0), then applies the following sequence of operators: 

U -» 0/ -»■ Ui -»• ► U T _! -»■ 0/ -»■ U T -»■ P. 

The acceptance probability is 

P(f) := ||PUtO / U t _ 1 ···O / U |0)|| 2 . 

We say that the algorithm computes a function </> : T D T' — > {0, 1} , where J 7 ' Ç J 7 , 
with error probability bounded by e if for every / G J 7 ', |P(/) — </>(/) | < £■ The quantum 
complexity of 4> is the minimal integer T such that there exists a quantum algorithm that 
computes <j) with T queries and errs with a probability bounded by 1/3. 

As before, for all i G [n] and j G [A^, the predicate Sij(f) := 1 if and only if f(i) = j. 
Observe that for all i, j, l, and /, 

N 

O f \i,j,l) = kfU)\h 3+f mod N, l). 

j>=\ 

Since all Uj and P are linear transformations, we have the following important observation 
by Beals et al. [0], in the form stated in Aaronson [j^]: 

Lemma 3.1. The acceptance probability P(f) can be expressed as a polynomial over the 
predicates dij, i £ [n],j £ [N], and deg(P) < 2T. 

Let T* := F*(n,N) denote the set of all partial functions from [n] to [N]. Denote the 
domain and image of a function /* by dom(/*) and img(/*), respectively. Any /* G T* can 
be conveniently represented as a subset of [n] x [N], i.e., /* = {(i, f*(i)) : i G dom(/*)}. For 
a finite set K Ç Z + , let SG(K) denote the group of permutations on K. Any permutation in 
SG(K) is understood as the identity mapping on any k' £ K. For any integer k > 0, SG(k) 
is a shorthand for SG([k]). For each a G SG(n) and r G SG(N), define : T* -> .F* as 

r-(D := {(a(i),r(j)) : (i, j) G f } , V/* G .T . 

For all s G J 7 * , the predicate I s : T* — > {0, 1} is defined as follows: 

/»(/*) :=i <=> sçf, Vf er. 

Fix a quantum black-box algorithm that queries T times. By Lemma |3.1| , the acceptance 
probability can be written as 

s6.F*,card(s)<2T 

Now proving a quantum lower bound is reduced to proving a lower bound on deg(P), for 
which we will resort to the following two fundamental theorems from approximation theory. 
For any function q : R — > R, and any set DÇl, let denote sup{|g(a)| : a G D}. 

Theorem 3.2 (Markov Inequality). For any polynomial q(a) G R[a] with degree d and 
IMI[-l,l] = 

II 'II ^ j2 

IMI[-1,1] " d • 
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Theorem 3.3 (Bernstein Inequality). For any polynomial q(a) G R[a] with degree d 
and llgll^^] = l, 

tf(a)\ <-=£=, Va G (-1,1). 
Vi — Or 

The proofs for the above theorems can be found in Chapter 4 of the book by Devore and 
Lorentz [11]. We will actually use the following result that follows from the above theorems. 



It is proven (with slight modification) by Paturi flïlfl in giving tight bounds for the lowest 
degree polynomial approximation to symmetric Boolean functions. 



Theorem 3.4 (Paturi []Ï9| 1). Let q(a) G R[a] be a polynomial of degree d, a and b be 
integers with a < b, and £ G [a, b] be a real number. If (1) \q{ï)\ < 1 for all integers 
i G [a,b]; and, (2) |<z(|_£j) — q(0\ ^ c f or some constant c > 0. Then, 

d=Çl(^/{t-a + l)(b-í+V 



In particular, 

d = n(Vb~ r a). 

As a convention, all random variables are uniform over their domain. 



4 Lower bound for the general collision problem 

4.1 The reduction 



Proof of Lemma 2.í. Let A be a quantum algorithm for Ü2^i(n, 3n/2). We shall derive 



an algorithm B for D^^iin, n). 

We call a function / half-two-to-one, if it is one-to-one on a half of its input, two-to-one 
on the other half, and, the two images are disjoint. Let p\ > 2/3, po < 1/3, and pi/ 2 be the 
acceptance probabilities of A with the input being a random two-to-one, one-to-one, and 
half-two-to-one function from [n] to [3n/2], respectively. Let / be the oracle function for the 

1/2 

D 2 _^i(n,n) problem. Then / is either half-two-to-one or two-to-one, with some additional 
constrains on the range. 

Pi/2 < 1/2; & will be the following: Choose random variables <x G /SG^n] and r G 
S"G[3n/2], then run A on / := Tíf(f). If / is two-to-one, the algorithm will accept with 
probability p\ > 2/3; otherwise it will accept with probability p\/2 < 1/2. 
Assume pi/2 > 1/2. Define / : [n] — > [3n/2] as: 

m:=i l + n/2 Íf ^)>™/ 2 ' (2 ) 
l/(i) otherwise. 

Notice that the oracle Oj can be simulated by two applications of 0/ together with some 
local unitary operators. Now B will be: Choose random variables cr G SG(n), and r G 
SG(3n/2), then run A on / := T%(f). 
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Note that for each i with f(i) £ [§+], f(i) is a distinct number in [3n/2]\[n/2]. There- 
fore, if / is half-two-to-one, / is one-to-one, in which case / is a random one-to-one function; 
thus B will accept with probability po < 1/3. On the other hand, if / is two-to-one, / is 
half-two-to-one, in which case / is a random half-two-to-one function; thus B will accept 
with probability > 1/2- □ 

4.2 Lower bound for the half-two-to-one problem 

1/2 

Fix a quantum algorithm for D 2 _ t \(n, n), and let P(f) be its acceptance probability. To 
prové an íí (n 1 / 3 ) lower bound for I?^ 1 (n, n), we need only to prové the lower bound for 
deg(P), by Lemma |3.l| . Define the symmetrization of P as 



P{f) '■ E aeSG(n),TeSG([n/2}),T , eSG(l%+}) 



(3) 



Definition 4.1. We call a pair of integers (m,g) vàlid, if < m < n, 1 < g < n, 2\m, 
g\m, and if g = 1, m < n/2. 



Given a vàlid (m,g), define f m) g : [n] — > [n] as follows: 
fm,gif) ~ 



\i/g] i€[m], 
\(i — m)/2] + n/2 otherwise. 



(4) 



Lemma 4.2. The function P{f m ,g) is a polynomial in m and g of degree < 2T . 



Proof. By Lemma [3JJ, it suffices to show that for each monomial I s , card(s) < 2T, the 
symmetrization I s is such a polynomial, where 



I S (fm,g) ■— ^ aTT ' Is [^ ToT f(fm,g) 

Let w := card(img(s) n [n/2]). Fix a sequence of elements in img(s) n [n/2], and let 
Ui,U2,··· ,u w be the corresponding sequence of sizes of preimages for the elements. Put 
u := J2J=i u j- Replacing [n] by [§+], we define u/, u'j, 1 < j < w', and u' , similarly. For 
integers a, b, P% := a(a — 1) • • • (a — b + 1). Put 



A := 



(n/2 - w)\(n/2 - w')\(n -u- u')\ 



n!(n/2)!(n/2)! 
By simple calculations, 

T ( f \ — \ JDW T[W pUi pW TTll) p a 

J-s\Jm,g) — * • r mjg ' LL j=l^g ^ n-m • üj=1 M 



(5) 



= A • np^m - g ■ j) ■ UJ =1 P^ ■ njLoHn - m - 2j) • n^P^ \ (6) 
which is a polynomial in m and g of degree 

w -(- (u - w) + w' + {vi - w') = u + v! = card(s) < 2T. 

□ 
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Proof of Theorem \2.\ Since deg(P(/ mg )) < 2T by the above lemma, it suffices to prové 
deg(P(/ W)J )) = fi(nV 3 ). 

Since P(f m ,g) is defined to be the acceptance probability for the oracle f m ,g-, 

< P{fm, g ) < 1, for all vàlid (m, g), (7) 

0< P(/n/2,i) < 1/3, and, 2/3 < P(/ n/2)2 ) < 1. (8) 

Put G := Ln 2 / 3 J, and Qx(a) := P(f n/2 , a ). Clearly, deg(Qi) < deg(P(/ m , g )). By 
Equations in |8[ 

|Qi(l) - Qi(2)\ = |P(/ n/2il ) - P(/„/a, 2 )| > 1/3. 

If |Qi(fc)| < 2 for all fe G [G], by Theorem Q deg(Qi) = ü (y/G^j, which implies 

deg(P(/ TOiS )) = ü (n 1 / 3 ). Otherwise, let g £ [G] be such that \Qi(g )\ > 2. 
PutG := L4J,and, 

Q 2 {a) := P{f2g a,g ), OC S [0,G ]. 

Then Go = ^(n 1 / 3 ), and deg(G;2) < deg(Q). Since > 2, (2igo,go) is vàlid for each 
i 6 [Gq], which implies < Q2(i) < lj by Eqn. ^. Since 



n 

V 4 W 



and < G2 



490 



Q 2 

< 1, we have 



\Hfn/2, 



í/o > 



\QAm)\ > 2, 



V 



.450. 



f n 



V 4 5o/ 



> 1. 



Applying Theorem 3.4, we have 
deg(Q 2 ) = Q 



n 



G - — + 1 

4^o 



which implies deg(P(/ miS )) = ü, (n 1 / 3 ). 
4.3 Generalizing to arbitrary r > 2 



□ 



Proof of Theorem \1. j . Combining Lemma [T^ and Theorem 2^ we obtain Theorem LI 



for the case r = 2. To generalize to arbitrary r > 2, we need only to replace Half-two-to- 

1/2 

one by Half -r-to-one, denoted by L> r L >1 (n, § + where the oracle is r-to-one mapped to 
[n/2 + l,n/2 + 2, • • • , n/2 + n/r] on n/2 inputs and the other n/2 inputs are mapped to 
[n/2] either r-to-one or one-to-one. In Definition 4.1, the condition 2\m for (m,g) being 
vàlid is replaced by r\m. 

In analogy to Lemma [2.2| , D r l_ >1 (n, § + 7) can be reduced to -D r _>i(n, 3n/2). To prové 
the ((n/r) 1 / 3 ) lower bound for the former, we need only to modify the proof for the latter 
by choosing appropriate parameters. That is, we set G := ( [(n/r) 2 / 3 J ) • r. We leave the 
remaining work for interested readers. □ 
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5 Lower bound for Collision with small range 

Let n and r be integers, and r\n. Fix a T-queries quantum black-box algorithm for 
D r _>i(n,n). Let P(f) be its acceptance probability. Instead of making a reduction, we 
need the following lemma. 

Lemma 5.1. For any partial assignment s, 

< P(s) < 1. 

Proof. Let Ut, < t < T, and P be the unitary operators and the final projection operator 
of the algorithm. Let P s be the operator that projects a state to the subspace spanned by 

{\i,j,l) : i G dom(s),j G [n],l G [L]} . 

Then it can be easily proved by induction that 

p(s) = ||pp s u T o :r p s • • • PsUiO^Uolo)!! 2 . 

The lemma follows. □ 
The symmetrization of P is defined as 

Now we call a pair of integers (m,g) vàlid if m G [n*], g G [n], and ff|m. Given a vàlid 
(m,g), define the partial function f mg as follows: 

fm, g : = {(h \i/g]) ■ i e HI • 



By Lemma 5.1 and the definition of P(f mg ), 

< P(fm, g ) < 1, for all vàlid (m, g). (9) 
By the correctness of the algorithm, 

2/3 < P(/ n ,i) < 1, and, < P(/ n , r ) < 1/3. (10) 

Lemma 5.2. T/ie function P(f mg ) can be expressed as a polynomial in m and g of degree 
< 2T. 



We omit the proof since it is in analogy to the proof for Lemma 4.2. 



Proof of Theorem l.í . By Lemma 5.2 , it suffices to prové deg(P(/ mi9 )) = ^((n/r) 1 / 4 ). 



The proof is similar to that for Theorem 2.3, and is much simpler. We leave the details to 



the reader. □ 
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6 Open problems 



Besides the two mentioned open problems, Collision with small range and Element Dis- 
tinctness, we raise two more. 

Definition 6.1. Two sets / = {/(l), f{2), ■ ■ ■ ,/(n)} and g = {g(l), g(2), ■ ■ ■ ,g(n)} are 
given as oracles with the promise that either f = gorfr\g = 0. The set equality 
problem is to distinguish these two cases. 

This is a special case of the two-to-one problem, and it closely models the Graph Iso- 
morphism problem. We are not able to prové any ív(1) lower bound, while we conjecture 
that it is as hard as the general Collision. A problem harder than the above is: 

Definition 6.2. Given n distinct numbers x±,X2, ■ ■ ■ ,x n , the index erasure problem is 

to generate a vector close to \4> x } = Y^7=l \ Xi )- 

This problem is equivalent to the following quantum-parallel search problem: Given 
an oracle described above, and the state \ 4> x ), generate a vector close to — ^ Y17=i ^ne 
can show that 0{^/n) queries are sufficient for both problems by using Grover's quantum 
search algorithm fï"5| . We conjecture that this is tight, though we are not able to prové any 
oj{1) lower bound. 
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